How We Helped an Austrian Company Recover 10TB from SafePay Ransomware
Earlier this month, we were contacted by the IT lead of a mid-sized industrial firm based in Linz, Austria. Their organization had just suffered a massive ransomware attack, and all signs pointed to the SafePay ransomware variant, identifiable by the .safepay file extension and the ransom note readme_safepay.txt.
In total, the company had over 10 terabytes of data encrypted, affecting Windows servers, shared drives, and several production systems. The attack had completely frozen operations, causing significant downtime and business disruption.
First Contact and Initial Assessment
The IT investigator reached out to us via WhatsApp, having come across our website and read about successful recoveries involving the SafePay Decryptor. After a quick conversation, we asked them to share a few sample encrypted files so we could verify compatibility.
They sent us three PDF files, each of which had been encrypted by the ransomware. We ran these samples through our internal verification process on our main server, where we maintain dedicated tools for SafePay-related cases.
Within minutes, we decrypted the files successfully.
To demonstrate that recovery was possible, we took screenshots of the decrypted PDFs alongside their encrypted versions and sent them back to the client as proof.
Proposal and Approval
After seeing the decrypted PDFs, the client’s team presented our solution to their management. We quoted them 0.10 BTC for a full recovery, including the decryptor, user instructions, and support. The next day, the payment was confirmed, and we immediately began generating their custom decryptor.

Delivery and Deployment
Within 30 minutes of payment confirmation, we emailed the client:
- The SafePay Decryptor
- A step-by-step usage guide
- Instructions on how to use the Device ID from the ransom note for authentication
The decryptor was designed to connect to our online recovery servers, which allowed us to bypass the encryption logic used by the ransomware. We advised the client to deploy the decryptor on an isolated machine first, to ensure a smooth and secure process.
Successful Recovery
The decryption process was launched the same day. The IT team reported that everything ran smoothly. Over the next 5–6 hours, they were able to decrypt all 10TB of affected data without any corruption or loss.
Key assets recovered included:
- Financial documents
- HR files
- Engineering CAD drawings
- Internal project records
- Licensing and compliance documents
By the end of the day, their systems were back online, and their production resumed.
Client Feedback
The next morning, we followed up via WhatsApp to check how things went.
